Closed
Bug 852923
Opened 12 years ago
Closed 11 years ago
nsBoxObject::GetPresShell flushes without keeping the doc alive
Categories
(Core :: XUL, defect)
Core
XUL
Tracking
()
People
(Reporter: smaug, Assigned: smaug)
Details
(Keywords: csectype-uaf, sec-critical, Whiteboard: [adv-main20+][adv-esr1705+])
Attachments
(1 file)
|
579 bytes,
patch
|
bzbarsky
:
review+
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
lsblakk
:
approval-mozilla-esr17+
akeybl
:
approval-mozilla-b2g18+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
nsBoxObject::GetPresShell keeps a raw pointer to document and calls flush. The flush operation itself should be safe these days, but the raw document pointer may point to a deleted object after the flush, yet we use the document.
Attachment #727143 -
Flags: review?(bzbarsky)
|
||
Comment 1•12 years ago
|
||
Comment on attachment 727143 [details] [diff] [review] patch r=me
Attachment #727143 -
Flags: review?(bzbarsky) → review+
|
Assignee | |
Comment 2•12 years ago
|
||
Comment on attachment 727143 [details] [diff] [review] patch [Security approval request comment] How easily could an exploit be constructed based on the patch? It can be a bit tricky, since the code is for XUL elements and one have to figure out a way to make chrome to adopt mContent element to another document or something similar. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? It is quite obvious what is going wrong, so need to be creative when figuring out the commit message. Perhaps I just leave out the commit message. Have just bug number and r=... Which older supported branches are affected by this flaw? All Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Same code everywhere. old code. How likely is this patch to cause regressions; how much testing does it need? Extremely likely to cause regressions
Attachment #727143 -
Flags: sec-approval?
Attachment #727143 -
Flags: approval-mozilla-esr17?
Attachment #727143 -
Flags: approval-mozilla-beta?
Attachment #727143 -
Flags: approval-mozilla-aurora?
|
||
Updated•12 years ago
|
status-b2g18:
--- → affected
status-b2g18-v1.0.1:
--- → affected
status-firefox19:
--- → wontfix
status-firefox20:
--- → affected
status-firefox21:
--- → affected
status-firefox22:
--- → affected
status-firefox-esr17:
--- → affected
Keywords: csec-uaf,
sec-critical
OS: Linux → All
Hardware: x86_64 → All
|
||
Comment 3•12 years ago
|
||
Since this is tricky to exploit, internally reported, and highly likely to cause regressions we should hold off until earlier in FF21 when it gets on Beta and not take this in FF20.
|
|
||
Updated•12 years ago
|
|
|
Assignee | |
Comment 4•11 years ago
|
||
(In reply to lsblakk@mozilla.com from comment #3) > Since this is tricky to exploit, internally reported, and highly likely to > cause regressions we should hold off until earlier in FF21 when it gets on > Beta and not take this in FF20. Er oops, I missed quite important part from the word. *un*. Highly unlikely to cause regressions. Sorry.
|
||
Comment 5•11 years ago
|
||
Comment on attachment 727143 [details] [diff] [review] patch sec-approval+ for checkin after 4/9.
Attachment #727143 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Updated•11 years ago
|
|
|
||
Updated•11 years ago
|
Whiteboard: [checkin after 4/9]
|
|
||
Updated•11 years ago
|
|
||
Comment 6•11 years ago
|
||
Going to clear the check-in embargo and try to get this into 20 based on comment 4. Olli, please wait to land until Lukas (or another driver) says whether they'll agree to take this on beta or not.
tracking-b2g18:
--- → +
tracking-firefox20:
--- → +
tracking-firefox21:
--- → +
tracking-firefox22:
--- → +
tracking-firefox-esr17:
--- → +
Whiteboard: [checkin after 4/9]
|
|
||
Updated•11 years ago
|
|
|
||
Comment 7•11 years ago
|
||
Comment on attachment 727143 [details] [diff] [review] patch Thanks for the correction, in that case we can take this sec-critical fix for the last FF20 beta - please land to branches asap.
Attachment #727143 -
Flags: approval-mozilla-esr17?
Attachment #727143 -
Flags: approval-mozilla-esr17+
Attachment #727143 -
Flags: approval-mozilla-beta?
Attachment #727143 -
Flags: approval-mozilla-beta+
Attachment #727143 -
Flags: approval-mozilla-aurora?
Attachment #727143 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 8•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/a0448fd67f91 https://hg.mozilla.org/releases/mozilla-aurora/rev/c3107b4bd85a https://hg.mozilla.org/releases/mozilla-beta/rev/3c440715a9b2 https://hg.mozilla.org/releases/mozilla-esr17/rev/5c097cbce381
|
||
Comment 9•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/a0448fd67f91
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
|
|
||
Updated•11 years ago
|
Whiteboard: [adv-main20+][adv-esr1705+]
|
||
Comment 10•11 years ago
|
||
Ryan - would you mind landing this to mozilla-b2g18?
Flags: needinfo?(ryanvm)
|
|
||
Updated•11 years ago
|
Attachment #727143 -
Flags: approval-mozilla-b2g18+
|
|
||
Updated•11 years ago
|
|
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•